
Metasploitable2 Gaining Access

September 09, 2017

Gaining Access
From the scan we see a variety of open ports. Next we go through the ports, attempt to identify vulnerabilities in the services and, where possible, exploit them to gain access to the host. The exploits were launched from the Kali VM using msfconsole.

Port 21 - File Transfer Protocol (FTP)

Port 21 is open and appears to be running the vsftpd daemon. We identified the vsftpd_234_backdoor vulnerability and attempted to exploit it. The exploit was successful and resulted in root shell access on the Metasploitable VM.

Port 2049 is used by NFS. NFS requires remote procedure calls (RPCs) between the client and server. On contemporary systems the RPC functionality is provided by rpcbind instead of portmap. In this instance rpcbind is running on port 111.
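The file-system access used in the rest of this write-up comes from the NFS export configuration. The following is an added example (not part of the original post) that audits /etc/exports lines for the settings a defender should look for: exports open to any host, writable exports, no_root_squash, and an export of / itself. The sample exports file is constructed for the example, not Metasploitable2's real one.

```python
"""Audit /etc/exports entries for settings that give any NFS client broad
file-system access. Added example; the sample file below is constructed."""
import re

# Constructed sample /etc/exports; not the Metasploitable2 configuration.
SAMPLE_EXPORTS = """\
# constructed sample
/          *(rw,no_root_squash)
/srv/share 192.168.32.0/24(ro,root_squash,sync)
/home      *(rw)
"""


def parse_exports(text):
    """Yield (path, client, option set) for every client spec in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:] or ["*"]   # no client list means everyone
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            yield path, client, opts


def audit_exports(text):
    """Return {"path client": [issues]} for exports that widen access."""
    findings = {}
    for path, client, opts in parse_exports(text):
        issues = []
        if client == "*" or client.startswith("*."):
            issues.append("exported to any host")
        if "rw" in opts:
            issues.append("writable")
        if "no_root_squash" in opts:
            issues.append("remote root keeps uid 0 on the export")
        if path == "/":
            issues.append("exports the whole root file system")
        if issues:
            findings[f"{path} {client}"] = issues
    return findings


if __name__ == "__main__":
    for export, issues in audit_exports(SAMPLE_EXPORTS).items():
        print(export, "->", "; ".join(issues))
```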

More importantly, we also have access to the /etc/shadow file. We can now use the /etc/passwd and /etc/shadow files with John the Ripper to attempt to crack some passwords. We initially use the usernames as the wordlist.

The output above is truncated, but we see that we got 4 out of 7 passwords. Since we weren't able to crack all the passwords, we needed to try more wordlists. Being lazy, I copied the wordlists from Metasploit and wfuzz into a single directory called wordlists in the root user's home directory (/root) and wrote a bash script to iterate through the wordlists and keep running John the Ripper. The script accepts two arguments: the first is the unshadowed file, and the second is the path to the directory containing the wordlists. Here's a copy of the script called johno.sh
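The cracking run above succeeds because of properties of the shadow file itself: legacy hash types and passwords that never expire. As an added example (not the johno.sh script from the post), the following audits constructed /etc/shadow lines for those weaknesses so an administrator can find them before an attacker does. The hashes in the sample are made up and are not real Metasploitable2 hashes.

```python
"""Audit /etc/shadow lines for weak hash types, empty password fields and
never-expiring passwords. Added example with constructed sample data."""
import re

# crypt(3) identifiers; anything outside STRONG cracks quickly on modern hardware.
HASH_IDS = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
            "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}
STRONG = {"bcrypt", "sha256crypt", "sha512crypt", "scrypt", "yescrypt"}

# Constructed sample shadow file; hashes are fake, not Metasploitable2's.
SAMPLE = """\
root:$1$c0nstruc$abcdefghijklmnopqrstuv:14684:0:99999:7:::
msfadmin:$1$c0nstruc$vutsrqponmlkjihgfedcba:14684:0:99999:7:::
postgres:$6$c0nstruc$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:14684:0:90:7:::
legacy:abcdEFGHijklm:14684:0:99999:7:::
guest::14684:0:99999:7:::
daemon:*:14684:0:99999:7:::
"""


def classify_hash(h):
    """Label a shadow password field by hash scheme or lock state."""
    if h == "":
        return "empty"
    if h.startswith(("!", "*")):
        return "locked"
    for prefix, name in HASH_IDS.items():
        if h.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):   # traditional DES crypt
        return "descrypt"
    return "unknown"


def audit_shadow(text, max_age_days=365):
    """Return {user: [issues]} for accounts with weak password settings."""
    findings = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")            # name:hash:lastchg:min:max:warn:inactive:expire:
        if len(fields) < 8:
            raise ValueError(f"malformed shadow line: {line!r}")
        user, pw, max_days = fields[0], fields[1], fields[4]
        kind = classify_hash(pw)
        issues = []
        if kind == "empty":
            issues.append("no password set")
        elif kind not in STRONG and kind != "locked":
            issues.append(f"weak hash type {kind}")
        if kind not in ("empty", "locked") and (max_days == "" or int(max_days) > max_age_days):
            issues.append("password never expires")
        if issues:
            findings[user] = issues
    return findings
```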

Now we can separate the usernames and passwords into separate lists and use them in Metasploit to simplify our brute-force attacks. As we have free rein over the file system, we can also navigate into the users' home directories and investigate the files and directories. After checking the /etc/sudoers and /etc/groups files we note that msfadmin is able to perform sudo functions. In msfadmin's .ssh directory we find an authorized_keys entry for user@metasploitable, and further examination of the /root .ssh directory reveals that msfadmin is authorised. We are thus able to obtain the user@metasploitable and msfadmin@metasploitable private keys.

We could also have generated our own SSH key pair and added the public key to the authorized_keys file for the users, including the root user.

Port 513 - rlogin
Port 513 appears to be running rlogin, which allows users to log in to the Metasploitable VM over the network. Since we already know the password for the msfadmin user and know that msfadmin is a member of the admin group, which allows use of sudo, we can log in as msfadmin and get root access.

root@kali:~# rlogin -l msfadmin 192.168.32.102
msfadmin@192.168.32.102's password:
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

The "Where are you?" message indicates that the Metasploitable VM is unable to determine the hostname of the Kali VM. Since we have access via SSH and NFS, we can modify the /etc/hosts file to add "192.168.32.101 kali" and attempt the connection again.

Port 514 - rsh
Port 514 appears to be running rsh. Again, we already know some cracked passwords and can log in directly.

root@kali:~# rsh msfadmin@192.168.32.102
msfadmin@192.168.32.102's password:
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
Last login: Tue Dec 16 17:54:05 2014 from 192.168.32.101
msfadmin@metasploitable:~$

Port 3306 - MySQL
Port 3306 appears to be open and used by a MySQL daemon. We attempt to enumerate the users using Metasploit. The initial attempt fails, but once we specify the username root, it succeeds. The exploit also demonstrates that a root password is not set, so connecting to the database as root is possible, i.e. mysql -h 192.168.32.102 -p -u root. The truth is we just got lucky with this exploit.

Port 5900 - VNC
Warning: This exploit took a long time, since the VNC server was set up to lock out the host after a number of failed login attempts.
The Metasploitable VM appears to be running VNC. We used the Metasploit vnc_login module to attempt a brute force. This method was not very efficient, as the VNC server would reject connection attempts after a number of failed attempts even with the brute-force speed turned down to 0. I finally got the password when I used the wordlist /usr/share/metasploit-framework/data/wordlists/vnc_passwords.txt (which only contained a single "password").

Port 6667 - IRC
The Metasploitable VM hosts an UnrealIRCd daemon on port 6667. There appeared to be only one exploit available for this service in the Metasploit framework, so it was worth giving it a go, even without investigating whether the daemon was vulnerable. The exploit gives root shell access.

Port 8009 - Tomcat
Port 8009 is a Tomcat reverse proxy that Apache uses to communicate with Tomcat to serve pages. Port 8180 runs the main admin interface for Tomcat. We need to get the admin credentials.

Port 5432 - Postgresql
PostgreSQL DB 8.3.0 - 8.3.7 is listening on port 5432. Since the MySQL database was not password protected, chances are PostgreSQL may not be password protected either, but we've cracked some of the passwords, so it may be worth trying to brute-force the password. First we attempted to use the Metasploit wordlist, and then repeated with the list of usernames we had recovered. Unfortunately no additional credentials were recovered, save for the postgres:postgres credentials for the template1 database.

Port 2121 - ProFTP
Port 2121 reports itself as running ProFTPD version 1.3.1. A search of www.cvedetails.com provides several potential vulnerabilities, but none appeared to be metasploitable. As we already knew the credentials, we can simply FTP to the server. During the FTP session, we discover that the FTP server is misconfigured and allows users to break out of their home jail and get access to the root directory (/).